Tuesday, August 26, 2014

“Facilities, Systems and Equipment” – the Sequel

One of the
things that gives me the most pleasure about writing this blog is seeing that
people are constantly going back and reading previous posts. This is certainly how I would like to see it
work, since I have addressed different topics at different times. It would be nice to have everything rolled up
into a single book (I imagine I’ve written a book or two in length by now), but
given all the uncertainty with CIP v5, I don’t think that’s possible yet. Maybe a year from now.

Usually, the
old posts that people are reading are those I’ve referred to in recent
posts. However, that is not the case
with the post “Facilities,
Systems and Equipment” that I wrote Aug. 28 of 2013. I don’t believe I’ve ever made a reference
back to that post, yet recently it’s had a few dozen hits. This may have something to do with the fact
that I’ve been talking a lot about the use (or misuse) of the word “Facilities”
in criteria 2.3 – 2.8 of Attachment 1, even though that issue has little to do
with the issue I addressed in the 2013 post.

I’ll let you
read the 2013 post on your own, but to summarize it briefly, it expresses complete
mystery as to why the words “Facilities, systems and equipment” are used in
Section 4.2 of CIP-002-5 (actually, that same section appears in every other
CIP v5 standard as well). Working out
from the idea that it was simply a mistake on the part of the SDT (“What were
they thinking…?”), it then draws a couple conclusions which should be important
to NERC entities. In this post I want to
update those conclusions, because my thinking – and the overall situation – has
changed since that time.

First, I
want to say I remain as mystified as I was a year ago as to why those words are
in Section 4.2; I’ll let you read why I feel that way in the old post. But I do need to disagree with two of the
conclusions I drew in the post.

The first
conclusion I drew was that having this wording in there was going to lead to
the auditors requiring entities to show that, before even starting to comply
with Requirement 1, they had made a list of every
Facility, system or piece of equipment they owned. Listing Facilities wouldn’t be impossible,
but every system? And every single
monkey wrench? This would be a classic
case of paperwork solely for the sake of regulatory compliance. In that post, I recommended that FERC change
this wording (as well as the wording of the rest of R1), to prevent this from
happening.

Well, FERC
didn’t change any of the wording (or order it changed) when they wrote Order
791. But to be honest, I no longer see this
as being an issue. It has certainly
never come up in any discussion I’ve had.
I think everyone – entities and auditors – agrees this is hardly a
battle worth fighting, so I don’t think it’s at all likely it ever will come up. Section 4.2 simply doesn’t affect how the
entity complies with CIP-002-5.1 R1 (where there certainly are a lot of other battles
worth fighting!). I think it will just
be neglected by all concerned, and that’s fine with me.[i]

Note
(Aug. 27): I spoke too soon when
I said above that this is something that won’t affect how an entity complies
with CIP-002-5.1 R1. Just today I
corresponded with an entity that pointed out something to me that I had
mentioned in a couple posts (including this
one under the section “Questions of Scope”) but had put out of my mind for
a while: There is no way a control center could be considered a Facility,
according to the NERC definition of Facility (and the related definition of
Element). So the fact that 4.2.2 says
that all “BES Facilities” are what’s in scope for CIP v5 clearly implies – if you’re
one of those sticky people that insists that words have clear meanings – that no
control centers are in scope for CIP v5!
A small omission, don’t you think?

Of course, I advised the entity not to act on
this consideration, since I’m sure they won’t be able to make it stick with
NERC (plus there is an obvious contradiction with R1 and Attachment 1, which
refer repeatedly to control centers as being in scope). But it just goes to show that CIP-002-5.1 is
a sloppily-written standard.

The second
conclusion I drew is more important, though.
I said that “Facilities, systems and equipment” should be replaced by
the six asset types listed in R1 (control centers, transmission substations,
etc). I said this because I thought the
real “scope” of R1 was those six asset types.
In other words, I believed that the criteria in Attachment 1 all refer
to one of those six asset types, and if an asset isn’t on that list, you don’t
have to ever consider it as you go through the criteria. I recommended that FERC make that
substitution in the language of 4.2, but I also suggested that entities
interpret “Facilities, systems and equipment” to mean the six asset types.

This was my
belief last August, and it remains today the belief of some (perhaps many) in
NERC and the regions, as well as many entities.
But in January or February of this year, an Interested Party pointed out
to me that this was simply not the case; the six asset types listed in R1 are
the locations where BES Cyber Assets
and BES Cyber Systems can be found, and the criteria in Attachment 1 don’t
necessarily refer just to these types of assets (although they can in some
cases). I have discussed this in a number
of posts, including this
one.

The third
and last point I made (I won’t call it a “conclusion”) was that the SDT’s use
of the word “Facilities” in criteria 2.3 – 2.8 was simply a mistake.[ii] However, that is not the case, as I also had
revealed to me early this year. The use of Facilities was deliberate and also
correct, IMHO. My last
post discusses this in more detail.

The fact is,
the use of “Facilities” in Attachment 1 is totally unrelated to its use in
Section 4.2. The entity (and auditor)
can safely ignore its use in 4.2, yet still take full advantage of its use in
Attachment 1. But as far as I can see,
people are ignoring 4.2 but are not
yet taking full advantage of the term in Attachment 1.

Now that
I’ve heartily disagreed with my 2013 self, how would I rewrite “Facilities,
systems and equipment” in 4.2 so that it was meaningful and helpful, rather
than irrelevant at best? My answer to
this is simple: replace the words “Facilities, systems and equipment” in
Section 4.2 with “assets”. In other
words, all assets (with a lower case a, since it isn’t a defined term) can
potentially be the subject of the Attachment 1 criteria.

You may ask,
“Why don’t you say ‘assets or Facilities’?”
The answer is I believe every Facility is an asset, although the
converse isn’t true.

You may next
ask why I leave out “systems and equipment”.
That is because I don’t think those words should be in Section 4.2,
which is really there to let the entity know what “big iron” will be in scope
for v5, not “little iron”. And if you
look at the title of the section – “Facilities” – as well as Section 4.2.2,
which says that “all BES Facilities” are in scope, that just reinforces my
opinion.[iii]

The views and opinions expressed here are my
own and don’t necessarily represent the views or opinions of Honeywell.

[i]
Of course, the very fact that I’m touting the fact that the miswording of 4.2
has no real consequence – and saying that is a good thing – is kind of sad when
you think about it. What should be the
case is that a requirement be well-worded and meaningful, even if it might be
misguided. Simply saying that it can
safely be ignored – since there are plenty of other places in CIP v5 where the
wording is either confusing or contradictory, and thus cannot be ignored – is faint
praise indeed.

[ii]
Actually, as I said in a paragraph labeled “4” close to the end of the post, I
thought the SDT had done this because they were concerned about separating out
transmission from distribution “Facilities” in substations – since only the
former are subject to the criteria.

[iii]
Of course, the title of 4.2 shouldn’t be “Facilities” but “assets”. And 4.2.2 should read “All BES assets”. But as I’ve already said, it doesn’t
particularly matter what this section says.